标签:另一个 应该 break windows amp sign 异或 info turn
今天早点干活
仍然是常规的Windows可执行程序逆向,拖入exeinfope之后发现没壳直接丢进IDA,找到main函数进入
int __cdecl main(int argc, const char **argv, const char **envp) { int v3; // edx int result; // eax size_t i; // [esp+4Ch] [ebp-8Ch] char v6[4]; // [esp+50h] [ebp-88h] char flag[28]; // [esp+58h] [ebp-80h] char v8; // [esp+74h] [ebp-64h] print(&unk_446360, "Give me your flag:"); sub_4013F0(sub_403670); sub_401440((int)&dword_4463F0, v3, (int)flag, 127);//这两个应该是输入字符串 if ( strlen(flag) < 0x1E && strlen(flag) > 4 ) { strcpy(v6, "EIS{"); for ( i = 0; i < strlen(v6); ++i ) { if ( flag[i] != v6[i] ) { print(&unk_446360, "Sorry, keep trying! "); sub_4013F0(sub_403670); return 0; } } if ( v8 == 125 ) { if ( sub_4011C0(flag) )//该函数返回值为1时正确,进入该函数 print(&unk_446360, "Congratulations! "); else print(&unk_446360, "Sorry, keep trying! "); sub_4013F0(sub_403670); result = 0; } else { print(&unk_446360, "Sorry, keep trying! "); sub_4013F0(sub_403670); result = 0; } } else { print(&unk_446360, "Sorry, keep trying!"); sub_4013F0(sub_403670); result = 0; } return result; }
直接进入ssub-4011C0看看什么情况下返回值为1
bool __cdecl sub_4011C0(char *flag) { size_t v2; // eax signed int v3; // [esp+50h] [ebp-B0h] char v4[32]; // [esp+54h] [ebp-ACh] int v5; // [esp+74h] [ebp-8Ch] int j; // [esp+78h] [ebp-88h] size_t i; // [esp+7Ch] [ebp-84h] char flag_sub_first4[128]; // [esp+80h] [ebp-80h] if ( strlen(flag) <= 4 ) return 0; i = 4; j = 0; while ( i < strlen(flag) - 1 ) flag_sub_first4[j++] = flag[i++]; flag_sub_first4[j] = 0;//将flag除了前四位之外全部复制到另一个变量中 v5 = 0; v3 = 0; memset(v4, 0, 0x20u); for ( i = 0; ; ++i ) { v2 = strlen(flag_sub_first4); if ( i >= v2 ) break; if ( flag_sub_first4[i] >= 97 && flag_sub_first4[i] <= 122 ) { flag_sub_first4[i] -= 32; v3 = 1; } if ( !v3 && flag_sub_first4[i] >= 65 && flag_sub_first4[i] <= 90 ) flag_sub_first4[i] += 32; v4[i] = byte_4420B0[i] ^ sub_4013C0(flag_sub_first4[i]); v3 = 0; } return strcmp("GONDPHyGjPEKruv{{pj]X@rF", v4) == 0; }
发现该函数先把flag除了前四位之外全部复制到一个变量中,即除去main中的‘EIS{’
然后对所有的大写转变成小写,小写转变成大写,接着用一个简单的异或运算,将得到的字符串与已知字符串进行比较。
下面开始编写逆向代码python
v1 = [0x0D,0x13,0x17,0x11,0x02,0x01,0x20,0x1D,0x0C, 0x02,0x19,0x2F,0x17,0x2B,0x24,0x1F,0x1E,0x16, 0x09,0x0F,0x15,0x27,0x13,0x26,0x0A,0x2F,0x1E, 0x1A,0x2D,0x0C,0x22,0x04]//byte_4420B0中的内容 v4 = "GONDPHyGjPEKruv{{pj]X@rF"//已知字符串 flag = ‘EIS{‘ v = 0 for i in range(24): a = v1[i] ^ ord(v4[i]) b = (a - 72) ^ 0x55 if b >= 97 and b <= 122: b -= 32 v = 1 if v == 0 and b >= 65 and b <= 90: b += 32 v = 0 flag += chr(b) flag += ‘}‘ print(flag)
EIS{wadx_tdgk_aihc_ihkn_pjlm}
---------------------------------------------------分割线-----------------------------------------------
仍然是简单的逆向分析题,没啥技巧,慢慢看代码然后求解就好,想求快唯手熟尔
2021.03.27_Reverse_xCTF_IgniteMe_WriteUp
标签:另一个 应该 break windows amp sign 异或 info turn
原文地址:https://www.cnblogs.com/m1nercy/p/14585556.html
